GDPR update overview

May 25, 2018

Today, May 25, 2018, we have come to the last GDPR Update of the current series. During the past 16 months, we have discussed various important topics with regard to the GDPR. For an overview, please see the end of this update.

There has been much public debate surrounding the implementation of the new privacy legislation. The abbreviation ‘GDPR,’ the date of May 25, 2018 and the prospect of €20 million fines have been all over the media, leading to anxiety within many organizations, from globally operating enterprises to local sports clubs.

WP29 publications

We have not been the only ones to publish updates on the GDPR; during the past months, the Article 29 Working Party (the WP29) has not been silent either. The WP29 is an overarching data protection body consisting of local supervisory authorities. It regularly publishes guidelines and opinions on (the interpretation of) various data protection concepts. Although these documents are not legally binding, they do give useful and important insights as to how the supervisory authorities interpret important provisions and principles of the GDPR.

The transparency guidelines and the guidelines on consent have proven to be of particular significance for our clients’ operations.

The WP29’s transparency guidelines focus on the content of organizations’ privacy notices, giving a sharper outline to the requirements set out in articles 13 and 14 GDPR, as well as on the way and form in which data subjects should be informed about the content of these notices. We highly recommend consulting these guidelines when preparing GDPR-compliant privacy notices. Further, the WP29’s transparency guidelines prescribe that data subjects must be actively informed of revisions of the privacy policy, including any revisions made in view of the GDPR, as well as any subsequent material amendments. Possible ways of actively informing data subjects include sending them an e-mail, providing them with a hardcopy version of the policy or implementing a pop-up on the organization’s website displaying the latest changes. The WP29’s guidance explicitly sets out that merely publishing the new version of the privacy notice on a website and requiring the data subject to check regularly for changes is not sufficient.

Looking at WP29’s consent guidelines, it becomes clear that controllers should avoid relying on consent as the legal basis for data processing as much as possible, as obtaining valid consent is not at all straightforward. The definition of consent consists of a number of criteria, and the controller should comply with all of them. The WP29 explicitly states that relying on consent should be avoided in the employment context in particular. (However, we understand that certain EU member states do in fact require employers to obtain consent, hindering a harmonized approach across the EU.)

The WP29’s non-binding guidelines and opinions are not always in alignment with common business practices. Moreover, the guidelines are sometimes stricter than the GDPR’s wording. Our experience is that supervisory authorities tend to follow these guidelines closely. In addition, Dutch case law on data protection matters (under the Directive) shows that the Dutch courts attach significant importance to WP29 guidance and opinions.

Enforcement activities by supervisory authorities

A large part of the abovementioned public debate focused on potential enforcement activities by supervisory authorities. Organizations seem to be most worried about being fined, accompanied by negative publicity risks.

This anxiety is strengthened by the Dutch supervisory authority’s (and other local supervisory authorities’) silence with regard to its envisaged enforcement activities. To date, the Dutch supervisory authority (Autoriteit Persoonsgegevens) has not publicized any policies with regard to GDPR enforcement and the imposition of fines in The Netherlands.

We have been receiving many questions from clients who want to understand whether supervisory authorities will start imposing administrative fines immediately after 25 May. As discussed in our GDPR Update on sanctions, we believe this is not to be expected. Organizations that are well underway with implementation of the GDPR today will likely be subject to other corrective measures prior to being fined. However, supervisory authorities do have the authority to impose fines without warning, and they have clearly left open this possibility.

Final remarks

When looking to implement the GDPR properly, creativity is key: There is little guidance on how various newly introduced requirements should work in practice. The guidance that is available can be found in the recitals of the GDPR, WP29 guidelines, existing policies and guidelines of supervisory authorities and parliamentary documents.

Enforcement activities and binding decisions of supervisory authorities in the coming period will provide additional insight into the interpretation and implementation of the GDPR.

We will continue to provide you with regular updates on the GDPR and the way it is enforced, as well as with relevant developments in the field of personal data protection (e.g. the draft e-Privacy Regulation). Stay tuned!
